Event Viewer: Who logged in? Why am I seeing myself as "remote"?


  1. Posts : 44
    Microsoft Windows 7 Enterprise 64-bit Service Pack 1
       #1


    I want the input from people who understand what the Event Viewer logs (Win 7 Enterprise) actually mean. Auditing is already enabled on my machine so it does have some logs.

    Under Windows Logs/Security, I get many "Audit Success" logs with various Event IDs and Task category. I am not sure what to ignore and what to count. The accounts I use are a local admin account and a domain user account. But I see countless logins from, for example: the computer's name itself, SYSTEM (domain NT Authority) and something called SophosSAUSETUPPCO.

    Are remote logons logged here? I also checked under Windows Logs/Microsoft/Windows for possible login information logs in the following directories:

    RemoteApp and Desktop Connections: There's nothing stored here

    RemoteAssistance: There's random logs here but only from a user called SYSTEM

    RemoteDesktopServices-RdpCoreTS: There's nothing stored here

    RemoteDesktopServices-RemoteDesktopSessionManager: There's nothing stored here

    Then I looked here:

    TerminalServices-LocalSessionManager: For some reason, nothing was logged here between the 22nd of last month and the 2nd of this month. All the logs I've checked here are from the two users I use myself.

    This is where I'm a bit confused. Firstly, why are they all logged as "Remote Desktop Services" when I am logging into the accounts locally?

    Secondly, why are logs missing for some dates? I've noticed a pattern of them missing on or around weekends. However, that is not always true. But how are logs here between the evening of 22/03 and the morning of 02/04 non-existent? I also noticed this same gap from: 31st Jan to 7th Feb, Jan 11th to 16th and again from 16th to 23rd.

    I also looked under:

    TerminalServices-RemoteConnectionManager: All the logs here seem to be from users SYSTEM and NETWORK SERVICE.

    Like the previous one, logs are sometimes missing during the weekend period. Logs here seem to be missing between: 22/03 and 03/04, 30th Jan to 7th Feb, Jan 11th to 25th and then 25th to 30th. There are also no logs present between 7th Jan and 11th.


    I'd really appreciate it if someone helped me understand these things better. I wish to find out if someone else has been accessing/using this machine remotely. Any help is greatly appreciated.
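One way to answer the question in the post ("who logged in, and was it remote?") from the same Event Viewer data, as an added PowerShell example that is not part of the thread and was not posted by any participant. It reads Security Event ID 4624 (successful logon) and decodes its LogonType field, which is what separates console logons (type 2), Remote Desktop logons (type 10) and the service/network logons that SYSTEM, NETWORK SERVICE and the computer account itself generate (types 3 and 5). It then reads event 21 from the TerminalServices-LocalSessionManager log, which on Windows 7 records every interactive session, console included, because all sessions are managed by the Terminal Services subsystem; the Address field there reads LOCAL for a console logon and carries an IP address for a Remote Desktop one. The 30-day window and the account-name filters are assumptions for this example.

```powershell
# Added example (not from the thread): summarise who logged on, and how, from the
# Security log and the TerminalServices-LocalSessionManager log.
# Run from an elevated PowerShell prompt; reading the Security log needs admin rights.
# Event IDs and field names are standard Windows ones; the 30-day window is an assumption.

$since = (Get-Date).AddDays(-30)   # assumed review window

# Meaning of the LogonType field in Event ID 4624 ("An account was successfully logged on").
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (file share, RPC, remote management)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (service start-up; usually SYSTEM / NETWORK SERVICE)'
    7  = 'Unlock (workstation unlock)'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (Remote Desktop / Terminal Services)'
    11 = 'CachedInteractive (domain logon with cached credentials)'
}

# Pull successful logons and expand the EventData fields by name.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            Kind      = $logonTypes[[int]$d.LogonType]
            SourceIP  = $d.IpAddress      # '-' or 127.0.0.1 for local logons
            Process   = $d.ProcessName
        }
    }

# Machine accounts (name ends in $), NT AUTHORITY accounts and the Desktop Window Manager
# accounts produce most of the "Audit Success" noise; those are the OS logging itself on,
# not a person. Filter them out to look at human accounts only (assumed filter).
$people = $logons | Where-Object {
    $_.User -notmatch '\$$' -and $_.User -notmatch '^NT AUTHORITY\\' -and $_.User -notmatch '^Window Manager\\'
}

Write-Host "Logons by type (human accounts only):"
$people | Group-Object Kind | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Type 10 with a non-local source address is what a real Remote Desktop session looks like.
Write-Host "`nRemote Desktop (type 10) logons:"
$people | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time | Format-Table Time, User, SourceIP -AutoSize

# The LocalSessionManager log records every interactive session, console included, because
# Windows 7 sessions are managed by the Terminal Services subsystem. Event 21 = session
# logon; its Address ('Source Network Address') is LOCAL for console logons and an IP for RDP.
Write-Host "`nTerminalServices-LocalSessionManager session logons (event 21):"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = $x.Event.UserData.EventXML.User
            Address = $x.Event.UserData.EventXML.Address
        }
    } | Sort-Object Time | Format-Table Time, User, Address -AutoSize
```

Reading the two outputs side by side answers both halves of the question: a session in the LocalSessionManager log whose Address is LOCAL is the user at the keyboard, not a remote session, and a genuine remote logon shows up as a 4624 with LogonType 10 whose IpAddress is not the machine's own, paired with an event 21 carrying that same address.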


  2. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #2

    Hi MSKHAN,

    I'm not a networking investigator; wait for Samuria, I'm sure he's got links to a couple of investigative tools.
    As you're running Enterprise, it's possible you're receiving data from its activation server; this will be done using permissions from those 2 Services.

    Are you using a VPN?



    Roy


  3. Posts : 44
    Microsoft Windows 7 Enterprise 64-bit Service Pack 1
    Thread Starter
       #3

    torchwood said:
    Hi MSKHAN,

    I'm not a networking investigator; wait for Samuria, I'm sure he's got links to a couple of investigative tools.
    As you're running Enterprise, it's possible you're receiving data from its activation server; this will be done using permissions from those 2 Services.

    Are you using a VPN?



    Roy
    Hey Roy! Thanks for the response.

    I hope Samuria will help shed more light on the matter.

    I am running Win 7 Enterprise on a work laptop at home and using two accounts. One is a domain/user account and the other is a local admin account.

    No, I am not using a VPN. I am connected to my home internet.


  4. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #4

    Hi MSKHAN,

    In your case it will DEFINITELY talk to your company's server as you're using a Domain profile, connected to them.

    That does not explain the missing logs UNLESS there were rules set up by your company's IT dept BEFORE they gave you the comp.

    Unfortunately we don't know what, if any, rules/restrictions they have put in place
    AND we, like all other forums, have a Duty of Responsibility to them as well and as such we can't in all good faith make changes. It's a forum rule.

    Have a chat with your IT Dept, and let them investigate.


    Roy


  5. Posts : 44
    Microsoft Windows 7 Enterprise 64-bit Service Pack 1
    Thread Starter
       #5

    torchwood said:
    Hi MSKHAN,

    In your case it will DEFINITELY talk to your company's server as you're using a Domain profile, connected to them.

    That does not explain the missing logs UNLESS there were rules set up by your company's IT dept BEFORE they gave you the comp.

    Unfortunately we don't know what, if any, rules/restrictions they have put in place
    AND we, like all other forums, have a Duty of Responsibility to them as well and as such we can't in all good faith make changes. It's a forum rule.

    Have a chat with your IT Dept, and let them investigate.


    Roy
    Oh! I am not looking to make any changes.

    All the settings were pre-configured to abide by the IT policy the machine has to abide by.

    As I've mentioned in the earlier posts, I am trying to understand the discrepancies and detect potential security problems. Not having the knowledge, I can't tell the difference between what's normal and what's a sign of a security compromise. For example, I'd like to know if a certain preset rule is stopping the logging or if a potential attacker has removed them. I don't see how that can't be discussed here in good faith.

    In any case, I'd trust the moderators here to make that judgement and even delete the thread if needed.
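The question the thread starter raises in this post, whether a preset rule is stopping the logging or whether someone removed the logs, can be checked from the logs themselves without changing any setting. The following is an added PowerShell example, not part of the thread and not posted by any participant. It looks at the configuration and retention mode of the three logs discussed (a small circular log overwrites old events, which produces a gap at the start of the log, not in the middle), at the events Windows writes when a log is explicitly cleared (Security 1102 for the audit log, System 104 for other channels, both recording who did it), at boot, shutdown and event-log-service events during the gap (if the laptop was simply powered off over a weekend there will be nothing there either), and at the effective audit policy for the Logon/Logoff category. The gap boundaries are taken from the thread and the year is an assumption.

```powershell
# Added example (not from the thread): separate "the log was cleared or is rolling over"
# from "nothing happened because the machine was off" for a suspicious gap in the logs.
# Run from an elevated PowerShell prompt. The gap dates below are the ones from the thread
# (evening of 22/03 to morning of 02/04); the year is an assumption, adjust as needed.

$year     = (Get-Date).Year                      # assumption: current year
$gapStart = Get-Date "$year-03-22 18:00"
$gapEnd   = Get-Date "$year-04-02 09:00"

$logs = 'Security',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# 1. Log configuration: enabled? how large may it grow? does it overwrite (LogMode Circular)?
#    A full circular log silently drops the oldest events, so check where each log starts.
Get-WinEvent -ListLog $logs | Format-Table LogName, IsEnabled, LogMode, MaximumSizeInBytes, RecordCount, LastWriteTime -AutoSize
foreach ($log in $logs) {
    $oldest = Get-WinEvent -LogName $log -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    if ($oldest) { Write-Host ("Oldest surviving event in {0}: {1}" -f $log, $oldest.TimeCreated) }
}

# 2. Explicit clearing leaves its own trail: Security 1102 ("The audit log was cleared") and
#    System 104 (an event log channel was cleared) name the account that did it.
Write-Host "`nLog-cleared events:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap

# 3. Was the machine running at all during the gap? Kernel-General 12/13 = OS start/shutdown,
#    EventLog 6005/6006 = event log service started/stopped. Nothing here means it was
#    most likely powered off, which is the innocent explanation for weekend gaps.
Write-Host "`nBoot / shutdown / event-log-service events inside the gap:"
$power = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12, 13, 6005, 6006; StartTime = $gapStart; EndTime = $gapEnd } -ErrorAction SilentlyContinue
if ($power) {
    $power | Sort-Object TimeCreated | Format-Table TimeCreated, Id, ProviderName -AutoSize
} else {
    Write-Host "None between $gapStart and $gapEnd: the machine was probably switched off."
}

# 4. Is logon auditing actually switched on? Shows Success/Failure per subcategory.
auditpol /get /category:"Logon/Logoff"
```

If the machine did boot during the gap but the Security and session logs show nothing for those days, that is the result worth taking to the IT department; if there are no boot events either, the gap is simply the laptop being off, and the weekend pattern the post describes fits that.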


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd